From 36d22d82aa202bb199967e9512281e9a53db42c9 Mon Sep 17 00:00:00 2001
From: Daniel Baumann
Date: Sun, 7 Apr 2024 21:33:14 +0200
Subject: Adding upstream version 115.7.0esr.
Signed-off-by: Daniel Baumann
---
js/src/jit-test/tests/jaeger/loops/bug651155.js | 6 +++
js/src/jit-test/tests/jaeger/loops/bug654393.js | 12 +++++
js/src/jit-test/tests/jaeger/loops/bug655854.js | 8 +++
js/src/jit-test/tests/jaeger/loops/bug658290.js | 8 +++
js/src/jit-test/tests/jaeger/loops/bug659452.js | 5 ++
js/src/jit-test/tests/jaeger/loops/bug668643.js | 12 +++++
js/src/jit-test/tests/jaeger/loops/bug671814.js | 12 +++++
js/src/jit-test/tests/jaeger/loops/bug680809.js | 8 +++
js/src/jit-test/tests/jaeger/loops/bug684621.js | 15 ++++++
js/src/jit-test/tests/jaeger/loops/hoist-01.js | 35 +++++++++++++
js/src/jit-test/tests/jaeger/loops/hoist-02.js | 12 +++++
js/src/jit-test/tests/jaeger/loops/hoist-03.js | 12 +++++
js/src/jit-test/tests/jaeger/loops/hoist-04.js | 18 +++++++
js/src/jit-test/tests/jaeger/loops/hoist-05.js | 19 +++++++
js/src/jit-test/tests/jaeger/loops/hoist-06.js | 14 +++++
js/src/jit-test/tests/jaeger/loops/hoist-07.js | 17 +++++++
js/src/jit-test/tests/jaeger/loops/hoist-08.js | 7 +++
js/src/jit-test/tests/jaeger/loops/hoist-09.js | 11 ++++
js/src/jit-test/tests/jaeger/loops/hoist-10.js | 39 ++++++++++++++
js/src/jit-test/tests/jaeger/loops/integer-1.js | 7 +++
js/src/jit-test/tests/jaeger/loops/integer-2.js | 10 ++++
js/src/jit-test/tests/jaeger/loops/integer-3.js | 7 +++
.../tests/jaeger/loops/multiply-by-int32min.js | 59 ++++++++++++++++++++++
js/src/jit-test/tests/jaeger/loops/property-1.js | 19 +++++++
24 files changed, 372 insertions(+)
create mode 100644 js/src/jit-test/tests/jaeger/loops/bug651155.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/bug654393.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/bug655854.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/bug658290.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/bug659452.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/bug668643.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/bug671814.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/bug680809.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/bug684621.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/hoist-01.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/hoist-02.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/hoist-03.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/hoist-04.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/hoist-05.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/hoist-06.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/hoist-07.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/hoist-08.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/hoist-09.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/hoist-10.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/integer-1.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/integer-2.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/integer-3.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/multiply-by-int32min.js
create mode 100644 js/src/jit-test/tests/jaeger/loops/property-1.js
(limited to 'js/src/jit-test/tests/jaeger/loops')
diff --git a/js/src/jit-test/tests/jaeger/loops/bug651155.js b/js/src/jit-test/tests/jaeger/loops/bug651155.js
new file mode 100644
index 0000000000..37c16fff19
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/bug651155.js
@@ -0,0 +1,6 @@
+ForIn_2();
+function ForIn_2( object ) {
+ PropertyArray=new Array;
+ var PropertyArray = 'Do not assert: !cx->throwing';
+ for ( i in object ) PropertyArray.length-1;
+}
diff --git a/js/src/jit-test/tests/jaeger/loops/bug654393.js b/js/src/jit-test/tests/jaeger/loops/bug654393.js
new file mode 100644
index 0000000000..e603392a40
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/bug654393.js
@@ -0,0 +1,12 @@
+var VERSION = "ECMA_2";
+DoWhile(
+ new DoWhileObject(false, false, false, VERSION)
+);
+function DoWhileObject( out1, out2, out3, in1 ) {
+ this.breakIn = in1
+}
+function DoWhile(object) {
+ do {
+ if (object.breakIn) {}
+ } while(false);
+}
diff --git a/js/src/jit-test/tests/jaeger/loops/bug655854.js b/js/src/jit-test/tests/jaeger/loops/bug655854.js
new file mode 100644
index 0000000000..81c7194314
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/bug655854.js
@@ -0,0 +1,8 @@
+
+function foo(a, b, c) {
+ var res = 0;
+ for (var b = 0; b < c; b++)
+ res += a[b];
+ return res;
+}
+assertEq(foo([1,2,3], 0, 10), NaN);
diff --git a/js/src/jit-test/tests/jaeger/loops/bug658290.js b/js/src/jit-test/tests/jaeger/loops/bug658290.js
new file mode 100644
index 0000000000..cfb42066af
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/bug658290.js
@@ -0,0 +1,8 @@
+var SECTION = "15.4.5.2-2";
+addCase(new Array, 0, Math, Math.pow(2, SECTION));
+var arg = "", i = 0;
+var a = eval("new Array(" + arg + ")");
+addCase(a, i, +i + 1, Math.pow(2, 12) + i + 1, true);
+function addCase(object, old_len, set_len, new_len, checkitems) {
+ for (var i = old_len; i < new_len; i++) if (object[i] != 0) {}
+}
diff --git a/js/src/jit-test/tests/jaeger/loops/bug659452.js b/js/src/jit-test/tests/jaeger/loops/bug659452.js
new file mode 100644
index 0000000000..6cc3f4d465
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/bug659452.js
@@ -0,0 +1,5 @@
+test();
+function test() {
+ var t = function () { return function printStatus() {}; };
+ for (var j = 0; j < 10; j++) t["-1"]
+}
diff --git a/js/src/jit-test/tests/jaeger/loops/bug668643.js b/js/src/jit-test/tests/jaeger/loops/bug668643.js
new file mode 100644
index 0000000000..fe41c7ffc7
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/bug668643.js
@@ -0,0 +1,12 @@
+
+function foo(a,n) {
+ var x = {a:[]};
+ for (var i = 0; i < n; ) {
+ a[i];
+ x.a[i];
+ a[++i];
+ }
+}
+var a = [1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0,1,2,3,4,5,6,7,8,9,0];
+var n = a.length;
+foo(a,n);
diff --git a/js/src/jit-test/tests/jaeger/loops/bug671814.js b/js/src/jit-test/tests/jaeger/loops/bug671814.js
new file mode 100644
index 0000000000..69b581f772
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/bug671814.js
@@ -0,0 +1,12 @@
+var ta = Int8Array([]);
+function Int8Array(summary) {
+ summary.length;
+}
+function test() {
+ ctors = [ Int8Array ]
+ for (var i = 0; i < 10; i++) {
+ ctor = ctors[0]
+ b = ctor(0)
+ }
+}
+test();
diff --git a/js/src/jit-test/tests/jaeger/loops/bug680809.js b/js/src/jit-test/tests/jaeger/loops/bug680809.js
new file mode 100644
index 0000000000..22bcbf3c46
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/bug680809.js
@@ -0,0 +1,8 @@
+function f0(p0) {
+ var v0;
+ v0 = 1.7;
+ loop0: while (v0) {
+ v0 = p0;
+ }
+}
+f0(0);
diff --git a/js/src/jit-test/tests/jaeger/loops/bug684621.js b/js/src/jit-test/tests/jaeger/loops/bug684621.js
new file mode 100644
index 0000000000..9ca13bc7f4
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/bug684621.js
@@ -0,0 +1,15 @@
+function runRichards() {
+ queue = new Packet;
+ Packet(queue, ID_DEVICE_A, KIND_DEVICE);
+ new Packet;
+}
+var ID_DEVICE_A = 4;
+var KIND_DEVICE = 0;
+Packet = function (queue) {
+ this.link = null
+ if (queue == null) return;
+ var peek, next = queue;
+ while ((peek = next.link) != null)
+ ID_HANDLER_B
+};
+runRichards()
diff --git a/js/src/jit-test/tests/jaeger/loops/hoist-01.js b/js/src/jit-test/tests/jaeger/loops/hoist-01.js
new file mode 100644
index 0000000000..0c0f12357a
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/hoist-01.js
@@ -0,0 +1,35 @@
+function foo(x, n) {
+ for (var i = 0; i < n; i++)
+ x[i] = i;
+ var q = 0;
+ for (var i = 0; i < 10; i++) {
+ for (var j = 0; j < n; j++)
+ q += x[j];
+ }
+ return q;
+}
+
+var a = foo([], 100);
+assertEq(a, 49500);
+
+function basic1(x) {
+ var q = 0;
+ for (var i = 0; i < 4; i++)
+ q += x[i];
+ return q;
+}
+
+var b = basic1([1,2,3,4]);
+assertEq(b, 10);
+
+ARRAY = [1,2,3,4];
+
+function basic2() {
+ var q = 0;
+ for (var i = 0; i < 4; i++)
+ q += ARRAY[i];
+ return q;
+}
+
+var c = basic2();
+assertEq(c, 10);
diff --git a/js/src/jit-test/tests/jaeger/loops/hoist-02.js b/js/src/jit-test/tests/jaeger/loops/hoist-02.js
new file mode 100644
index 0000000000..79c3f11952
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/hoist-02.js
@@ -0,0 +1,12 @@
+function foo(x, n) {
+ var a = 0;
+ for (var i = 0; i < n; i++)
+ a += x[3];
+ return a;
+}
+
+var a = foo([1,2,3,4], 100);
+assertEq(a, 400);
+
+var b = foo([1,2], 100);
+assertEq(b, NaN);
diff --git a/js/src/jit-test/tests/jaeger/loops/hoist-03.js b/js/src/jit-test/tests/jaeger/loops/hoist-03.js
new file mode 100644
index 0000000000..c5c2ba6190
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/hoist-03.js
@@ -0,0 +1,12 @@
+function foo(x, j, n) {
+ var a = 0;
+ for (var i = 0; i < n; i++)
+ a += x[j];
+ return a;
+}
+
+var a = foo([1,2,3,4], 3, 100);
+assertEq(a, 400);
+
+var b = foo([1,2,3,4], 5, 100);
+assertEq(b, NaN);
diff --git a/js/src/jit-test/tests/jaeger/loops/hoist-04.js b/js/src/jit-test/tests/jaeger/loops/hoist-04.js
new file mode 100644
index 0000000000..f17bd7f737
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/hoist-04.js
@@ -0,0 +1,18 @@
+function bar(x, i) {
+ if (i == 50)
+ x.length = 0;
+}
+
+function foo(x, j, n) {
+ var a = 0;
+ for (var i = 0; i < n; i++) {
+ var q = x[j];
+ bar(x, i);
+ if (typeof q == 'undefined')
+ a++;
+ }
+ return a;
+}
+
+var a = foo([1,2,3,4], 3, 100);
+assertEq(a, 49);
diff --git a/js/src/jit-test/tests/jaeger/loops/hoist-05.js b/js/src/jit-test/tests/jaeger/loops/hoist-05.js
new file mode 100644
index 0000000000..b99b07893b
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/hoist-05.js
@@ -0,0 +1,19 @@
+function bar(x, i) {
+ if (i == 50)
+ foo.arguments[1] = 20;
+}
+
+function foo(x, j, n) {
+ var a = 0;
+ arguments;
+ for (var i = 0; i < n; i++) {
+ var q = x[j];
+ bar(x, i);
+ if (typeof q == 'undefined')
+ a++;
+ }
+ return a;
+}
+
+var a = foo([1,2,3,4], 3, 100);
+assertEq(a, 0);
diff --git a/js/src/jit-test/tests/jaeger/loops/hoist-06.js b/js/src/jit-test/tests/jaeger/loops/hoist-06.js
new file mode 100644
index 0000000000..fc2919cda2
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/hoist-06.js
@@ -0,0 +1,14 @@
+
+function foo(x, n, y) {
+ var q = 0;
+ for (var j = 0; j < n; j++) {
+ if (x[j] < y)
+ q++;
+ }
+ assertEq(q, 1);
+}
+
+var x = [1,2,3,4,5];
+var y = { valueOf: function() { x.length = 0; return 6; } };
+
+var a = foo(x, 5, y);
diff --git a/js/src/jit-test/tests/jaeger/loops/hoist-07.js b/js/src/jit-test/tests/jaeger/loops/hoist-07.js
new file mode 100644
index 0000000000..a409f70559
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/hoist-07.js
@@ -0,0 +1,17 @@
+
+var res = 0;
+
+function foo(x, n, y) {
+ for (var j = 0; j < n; j++) {
+ x[j];
+ y.f;
+ }
+}
+
+var x = [1,2,3,4,5];
+var y = {};
+Object.defineProperty(y, 'f', {get:function() { res++; x.length = 2; }});
+
+var a = foo(x, 5, y);
+
+assertEq(res, 5);
diff --git a/js/src/jit-test/tests/jaeger/loops/hoist-08.js b/js/src/jit-test/tests/jaeger/loops/hoist-08.js
new file mode 100644
index 0000000000..a695dd1a76
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/hoist-08.js
@@ -0,0 +1,7 @@
+
+function foo(x,n) {
+ for (var i = -5; i < n; i++) {
+ x[i] = 10;
+ }
+}
+foo([1,2,3,4,5],5);
diff --git a/js/src/jit-test/tests/jaeger/loops/hoist-09.js b/js/src/jit-test/tests/jaeger/loops/hoist-09.js
new file mode 100644
index 0000000000..1b398c7c26
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/hoist-09.js
@@ -0,0 +1,11 @@
+
+function foo(x, y) {
+ for (var i = 0; i < x.length; i++) {
+ x[i];
+ if (i < 20)
+ y[i + 1] = 0;
+ }
+}
+
+var q = Array(1,2,3,4,5);
+foo(q, []);
diff --git a/js/src/jit-test/tests/jaeger/loops/hoist-10.js b/js/src/jit-test/tests/jaeger/loops/hoist-10.js
new file mode 100644
index 0000000000..43a3084c9d
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/hoist-10.js
@@ -0,0 +1,39 @@
+function foo1(x, n) {
+ var i = 0;
+ while (--n >= 0) {
+ x[i++] = 0;
+ }
+}
+foo1([1,2,3,4,5],5);
+
+function foo2(x, n) {
+ var i = 0;
+ while (--n >= 0) {
+ x[i++] = 0;
+ }
+}
+foo2([1,2,3,4,5],6);
+
+function foo3(x, n) {
+ var i = 0;
+ while (n-- >= 0) {
+ x[i++] = 0;
+ }
+}
+foo3([1,2,3,4,5],5);
+
+function foo4(x, n) {
+ var i = 0;
+ while (--n >= 0) {
+ x[++i] = 0;
+ }
+}
+foo4([1,2,3,4,5],5);
+
+function foo5(x, n) {
+ var i = 0;
+ while (--n >= 0) {
+ x[++i] = 0;
+ }
+}
+foo5([1,2,3,4,5,6],5);
diff --git a/js/src/jit-test/tests/jaeger/loops/integer-1.js b/js/src/jit-test/tests/jaeger/loops/integer-1.js
new file mode 100644
index 0000000000..f0ef122f3c
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/integer-1.js
@@ -0,0 +1,7 @@
+function foo(x) {
+ for (var i = 0x7ffffff0; i <= x; i++) {
+ var y = i;
+ }
+ return y;
+}
+assertEq(foo(0x7fffffff), 0x7fffffff);
diff --git a/js/src/jit-test/tests/jaeger/loops/integer-2.js b/js/src/jit-test/tests/jaeger/loops/integer-2.js
new file mode 100644
index 0000000000..129c92f1fe
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/integer-2.js
@@ -0,0 +1,10 @@
+function foo(x, y, z, a) {
+ for (var i = 0x7fff; i < 0xffff; i++) {
+ var y = ((x + y) + (z + a[0])) | 0;
+ }
+ return y;
+}
+assertEq(foo(0x7fffffff, 0x7fffffff, 0x7fffffff, [0x7fffffff]), 2147385343);
+
+var q = [0x7fffffff];
+assertEq(eval("foo(0x7fffffff, 0x7fffffff, {valueOf:function() {q[0] = 'e4'; return 0;}}, q)"), 438048096);
diff --git a/js/src/jit-test/tests/jaeger/loops/integer-3.js b/js/src/jit-test/tests/jaeger/loops/integer-3.js
new file mode 100644
index 0000000000..26c7b76a8f
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/integer-3.js
@@ -0,0 +1,7 @@
+function foo(x) {
+ for (var i = 0x7ffffff0; i <= x; i++) {
+ var y = (i % -2147483648);
+ }
+ return y + 5;
+}
+assertEq(foo(0x7fffffff), 0x7fffffff + 5);
diff --git a/js/src/jit-test/tests/jaeger/loops/multiply-by-int32min.js b/js/src/jit-test/tests/jaeger/loops/multiply-by-int32min.js
new file mode 100644
index 0000000000..bc692f1480
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/multiply-by-int32min.js
@@ -0,0 +1,59 @@
+function foo()
+{
+ // Range analysis incorrectly computes a range for the multiplication. Once
+ // that incorrect range is computed, the goal is to compute a new value whose
+ // range analysis *thinks* is in int32_t range, but which goes past it using
+ // JS semantics.
+ //
+ // On the final iteration, in JS semantics, the multiplication produces 0, and
+ // the next addition 0x7fffffff. Adding any positive integer to that goes
+ // past int32_t range: here, (0x7fffffff + 5) or 2147483652.
+ //
+ // Range analysis instead thinks the multiplication produces a value in the
+ // range [INT32_MIN, INT32_MIN], and the next addition a value in the range
+ // [-1, -1]. Adding any positive value to that doesn't overflow int32_t range
+ // but *does* overflow the actual range in JS semantics. Thus omitting
+ // overflow checks produces the value 0x80000004, which interpreting as signed
+ // is (INT32_MIN + 4) or -2147483644.
+ //
+ // For this test to trigger the bug it was supposed to trigger:
+ //
+ // * 0x7fffffff must be the LHS, not RHS, of the addition in the loop, and
+ // * i must not be incremented using ++
+ //
+ // The first is required because JM LoopState doesn't treat *both* V + mul and
+ // mul + V as not overflowing, when V is known to be int32_t -- only V + mul.
+ // (JM pessimally assumes V's type might change before it's evaluated. This
+ // obviously can't happen if V is a constant, but JM's puny little mind
+ // doesn't detect this possibility now.)
+ //
+ // The second is required because JM LoopState only ignores integer overflow
+ // on multiplications if the enclosing loop is a "constrainedLoop" (the name
+ // of the relevant field). Loops become unconstrained when unhandled ops are
+ // found in the loop. Increment operators generate a DUP op, which is not
+ // presently a handled op, causing the loop to become unconstrained.
+ for (var i = 0; i < 15; i = i + 1) {
+ var y = (0x7fffffff + ((i & 1) * -2147483648)) + 5;
+ }
+ return y;
+}
+assertEq(foo(), (0x7fffffff + ((14 & 1) * -2147483648)) + 5);
+
+function bar()
+{
+ // Variation on the theme of the above test with -1 as the other half of the
+ // INT32_MIN multiplication, which *should* result in -INT32_MIN on multiply
+ // (exceeding int32_t range).
+ //
+ // Here, range analysis again thinks the range of the multiplication is
+ // INT32_MIN. We'd overflow-check except that adding zero (on the LHS, see
+ // above) prevents overflow checking, so range analysis thinks the range is
+ // [INT32_MIN, INT32_MIN] when -INT32_MIN is actually possible. This direct
+ // result of the multiplication is already out of int32_t range, so no need to
+ // add anything to bias it outside int32_t range to get a wrong result.
+ for (var i = 0; i < 17; i = i + 1) {
+ var y = (0 + ((-1 + (i & 1)) * -2147483648));
+ }
+ return y;
+}
+assertEq(bar(), (0 + ((-1 + (16 & 1)) * -2147483648)));
diff --git a/js/src/jit-test/tests/jaeger/loops/property-1.js b/js/src/jit-test/tests/jaeger/loops/property-1.js
new file mode 100644
index 0000000000..81a6b3c360
--- /dev/null
+++ b/js/src/jit-test/tests/jaeger/loops/property-1.js
@@ -0,0 +1,19 @@
+
+function foo(x, y) {
+ var res = 0;
+ for (var i = 0; i < 10; i++) {
+ res += x.f + y[i];
+ }
+ return res;
+}
+
+var x = {f:0};
+var y = Array(10);
+for (var i = 0; i < 10; i++) {
+ if (i == 5)
+ Object.defineProperty(Object.prototype, 5, {get: function() { x.f = 10; return 5}});
+ else
+ y[i] = i;
+}
+
+assertEq(foo(x, y), 85);
-- cgit v1.2.3